from the 1324-Middle-Finger-Extended-Blvd. dept

Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency's interception of outbound US networking hardware in order to insert surveillance backdoors.

Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.

The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers…

"We ship [boxes] to an address that's has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.

"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so its very hard to target - you'd have to target all of them. There is always going to be inherent risk."

Stewart acknowledges that Cisco's modified dead drop shipping operations aren't foolproof, but will at least force the agency to do a little more research before intercepting packages. Stewart also noted that some customers aren't taking any chances, opting to pick up their hardware from Cisco directly.

There are also variables Cisco simply can't control, like the possibility of inbound components from upline manufacturers arriving pre-compromised. But it's doing what it can to ensure that "Cisco" isn't synonymous with "spyware."

Then there's always the possibility that the government may find Cisco's new routing methods to be quasi-fraudulent and force the company to plainly state where each package is actually going. No response has been issued by the ODNI or NSA to this news, and most likely, none will be forthcoming. Any statement on Cisco's fictitious routing would tip its hand.

Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound, but this seems to be more a public display of pique than a surefire way to eliminate most of the NSA's hardware interceptions. It also sends a message to the NSA, one it's been hearing more and more of over the last couple of years: the nation's tech companies aren't your buddies and they're more than a little tired of being unwilling partners in worldwide surveillance.

from the a-slight-detour dept

So this one is odd. A core Tor developer, Andrea Shepard, recently ordered a computer from Amazon.com to her home in Seattle. Yet, as she tweeted last night, something odd happened on the way to delivering that package to her house:

Also, some more details from PrivacySOS. As you can see, rather than go from the Amazon warehouse in Santa Ana, California up the coast to Seattle, instead the package went across the country to Dulles, Virginia to Alexandria (right outside of DC) and was "delivered" there. Upon seeing this, my initial reaction was that it might not be a big deal. With shipping logistics these days, it's not uncommon to see a sort of hub system, where packages travel across the country from one warehouse to a shipping hub, only to be shipped back across the country for actual delivery.

But that does not appear to be what happened here at all. As Kade from PrivacySOS pointed out, the final Alexandria address is the final delivery location, rather than the sign of something in process. Also, the fact that it bounced around and then went "out for delivery" to that address shows that it wasn't just popping in and out of a hub for delivery to Seattle.

There are some possible other explanations, including just a general screw-up on the part of Amazon. But given the revelations of how the NSA's TAO group does very targeted spying, that often involves getting access to computers being shipped to targets, combined with the fact that the NSA has made it clear that breaking Tor is a priority that has mostly stymied them, this certainly should raise multiple eyebrows.

from the perhaps-google-the-person-you're-contacting-first dept

Via Chris Soghoian, we learn that a Saudi Arabian telecom company (one of just two) contacted well-known pro-privacy researcher Moxie Marlinspike recently to see if he might help them intercept communications from a variety of popular communications apps, including Twitter, Viber, Line and WhatsApp. Curious about what they wanted, Marlinspike emailed with them a bit, and then published what he was told -- including the fact that they later told him they very quickly and easily figured out how to intercept WhatsApp communications. Eventually, he told them that he wouldn't work with them, and the guy he was communicating with told him by not helping the Saudi government intercept communications, he was helping the terrorists:

I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that’s why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.

From there, however, Marlinspike goes on into a very interesting discussion, well worth reading, about changes in the hacker/security community lately and the lucrative business of selling 0day exploits (often to governments) rather than publishing them and getting things fixed.

Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward. I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.

Maybe this is an unpopular opinion and the bulk of the community is totally fine with how things have gone (after all, it is profitable). There are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom, but having nothing to do with these ugly situations in Saudi Arabia. Once exploits are sold to US defense contractors, however, it’s very possible they could end up delivered directly to the Saudis (eg, eg, eg), where it would take some even more substantial handwaving to think that they’ll serve in some liberatory way.

Exploits will be exploited. Helping anyone to make use of them means that eventually they're going to get exploited by others in ways you might not agree with.